Cisco & Cisco Network Hardware News and Technology

Cisco Catalyst 2960-S Series Switches OVERVIEW

June 24 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco Catalyst 2960-S Series Switches are fixed-configuration Gigabit Ethernet switches that provide enterprise-class Layer 2 switching for campus and branch access applications. They enable reliable and secure business operations with lower total cost of ownership through a range of features including FlexStack, Power over Ethernet Plus (PoE+), and Cisco Catalyst Smart Operations.

Firstly, let's check what ships in the box with a Cisco 2960-S.

[Figure: box contents of the Cisco 2960-S (Catalyst 2960S-48FPD-L shown for example; your switch model might look different). Some items are only available on some models, and some are orderable separately.]

Highlights

Cisco Catalyst 2960-S switches feature:

• 24 or 48 Gigabit Ethernet ports

• 1G Small Form-Factor Pluggable (SFP) or 1G/10G SFP+ slots

• Cisco FlexStack stacking with 20 Gbps of stack throughput (optional)

• IEEE 802.3at-compliant PoE+ for up to 30W of power per port

• Up to 740W of combined PoE/PoE+ budget

• USB interfaces for management and file transfers

• LAN Base or LAN Lite Cisco IOS Software feature set

• SmartOperations tools that simplify deployment and reduce the cost of network administration

• An enhanced limited lifetime hardware warranty (E-LLW), providing next-business-day replacement 

Applications and Benefits

The Cisco Catalyst 2960-S Series is ideal for:

• Deploying cost-effective wired connectivity in traditional desktop workspace environments

• Implementing quality of service (QoS) to provide priority treatment of voice and critical business applications

• Enforcing basic security policies to limit access to the network and mitigate threats

• Reducing total cost of ownership through simplified operations and automation

Cisco Catalyst 2960-S Series Switches with LAN Base Software

The Cisco Catalyst 2960S Switch with LAN Base software is a fixed-configuration, Layer 2 Ethernet switch that supports enhanced switching services, IP communications, and wireless networking for small and medium-sized businesses. These switches provide the performance, availability, and manageability that modern office environments demand, as well as the intelligence to support state-of-the-art business applications and security services.

What's new for the Cisco Catalyst 2960-S Series Switches with LAN Base Software:

• 10 and 1 Gigabit Ethernet uplink flexibility with Small Form-Factor Pluggable Plus (SFP+), providing business continuity and fast transition to 10 Gigabit Ethernet

• 24 or 48 ports of Gigabit Ethernet desktop connectivity

• Cisco FlexStack stacking module with 20 Gbps of throughput, allowing ease of operation with single configuration and simplified switch upgrade

• PoE+ with up to 30W per port that allows you to support the latest PoE+ capable devices

• Power supply options: PoE+ models are available with a fixed 740W or 370W power supply

• USB storage for file backup, distribution, and simplified operations

• A wide range of software features to provide ease of operation, highly secure business operations, sustainability, and a borderless network experience

• Limited lifetime hardware warranty, including next-business-day replacement with 90-day service and support 

The Cisco Catalyst 2960 Series Switches with LAN Base Software offer the following:

• Dual-purpose uplinks for Gigabit Ethernet uplink flexibility, allowing use of either a copper or fiber uplink; each dual-purpose uplink port has one 10/100/1000 Ethernet port and one SFP-based Gigabit Ethernet port, with one port active at a time

• 24 or 48 ports of Fast Ethernet desktop connectivity

• PoE configurations with up to 15.4W per port

• A wide range of software features to provide ease of operation, highly secure business operations, sustainability, and a borderless networking experience

• Limited lifetime hardware warranty

Configurations of Cisco Catalyst 2960-S Series Switches with LAN Base Software

Cisco Catalyst 2960-S Switch Model | Description | Uplinks | Available PoE Power

10 Gigabit Uplinks with 10/100/1000 Ethernet Connectivity
Cisco Catalyst 2960S-48FPD-L | 48 Ethernet 10/100/1000 PoE+ ports | 2 Ten Gigabit Ethernet SFP+ or 2 One Gigabit Ethernet SFP ports | 740W
Cisco Catalyst 2960S-48LPD-L | 48 Ethernet 10/100/1000 PoE+ ports | 2 Ten Gigabit Ethernet SFP+ or 2 One Gigabit Ethernet SFP ports | 370W
Cisco Catalyst 2960S-24PD-L | 24 Ethernet 10/100/1000 PoE+ ports | 2 Ten Gigabit Ethernet SFP+ or 2 One Gigabit Ethernet SFP ports | 370W
Cisco Catalyst 2960S-48TD-L | 48 Ethernet 10/100/1000 ports | 2 Ten Gigabit Ethernet SFP+ or 2 One Gigabit Ethernet SFP ports | -
Cisco Catalyst 2960S-24TD-L | 24 Ethernet 10/100/1000 ports | 2 Ten Gigabit Ethernet SFP+ or 2 One Gigabit Ethernet SFP ports | -

1 Gigabit Uplinks with 10/100/1000 Ethernet Connectivity
Cisco Catalyst 2960S-48FPS-L | 48 Ethernet 10/100/1000 PoE+ ports | 4 One Gigabit Ethernet SFP ports | 740W
Cisco Catalyst 2960S-48LPS-L | 48 Ethernet 10/100/1000 PoE+ ports | 4 One Gigabit Ethernet SFP ports | 370W
Cisco Catalyst 2960S-24PS-L | 24 Ethernet 10/100/1000 PoE+ ports | 4 One Gigabit Ethernet SFP ports | 370W
Cisco Catalyst 2960S-48TS-L | 48 Ethernet 10/100/1000 ports | 4 One Gigabit Ethernet SFP ports | -
Cisco Catalyst 2960S-24TS-L | 24 Ethernet 10/100/1000 ports | 4 One Gigabit Ethernet SFP ports | -
Cisco Catalyst 2960S-STACK | Hot-swappable FlexStack stacking module | - | -

All models are available with the optional Cisco FlexStack stacking module. No DC power supplies are available.

Configurations of Cisco Catalyst 2960 Series Switches with LAN Base Software

Cisco Catalyst 2960 Switch Model | Description | Uplinks | Available PoE Power

1 Gigabit Uplinks with 10/100 Ethernet Connectivity
Cisco Catalyst 2960-48PST-L | 48 Ethernet 10/100 PoE ports | 2 One Gigabit Ethernet SFP ports and 2 fixed Ethernet 10/100/1000 ports | 370W
Cisco Catalyst 2960-24PC-L | 24 Ethernet 10/100 PoE ports | 2 dual-purpose ports (10/100/1000 or SFP) | 370W
Cisco Catalyst 2960-24LT-L | 24 Ethernet 10/100 ports (8 PoE) | 2 Ethernet 10/100/1000 ports | 123W
Cisco Catalyst 2960-24TC-L | 24 Ethernet 10/100 ports | 2 dual-purpose ports (10/100/1000 or SFP) | -
Cisco Catalyst 2960-48TC-L | 48 Ethernet 10/100 ports | 2 dual-purpose ports (10/100/1000 or SFP) | -
Cisco Catalyst 2960-24TT-L | 24 Ethernet 10/100 ports | 2 Ethernet 10/100/1000 ports | -
Cisco Catalyst 2960-48TT-L | 48 Ethernet 10/100 ports | 2 Ethernet 10/100/1000 ports | -

1 Gigabit Uplinks with 10/100/1000 Ethernet Connectivity
Cisco Catalyst 2960G-24TC-L | 24 Ethernet 10/100/1000 ports, 4 of which are dual-purpose (10/100/1000 or SFP) | 4 dual-purpose ports (10/100/1000 or SFP) | -
Cisco Catalyst 2960G-48TC-L | 48 Ethernet 10/100/1000 ports, 4 of which are dual-purpose (10/100/1000 or SFP) | 4 dual-purpose ports (10/100/1000 or SFP) | -

Compact Switches
Cisco Catalyst 2960-8TC-L | 8 Ethernet 10/100 ports; compact size with no fan | 1 dual-purpose port (10/100/1000 or SFP) | -
Cisco Catalyst 2960PD-8TT-L | 8 Ethernet 10/100 ports; compact size with no fan | 1 10/100/1000 PoE input port (the switch itself is powered over this port) | -
Cisco Catalyst 2960G-8TC-L | 7 Ethernet 10/100/1000 ports; compact size with no fan | 1 dual-purpose port (10/100/1000 or SFP) | -

Switch PoE and PoE+ Power Capacity

Switch Model | Maximum Number of PoE+ (IEEE 802.3at) Ports* | Maximum Number of PoE (IEEE 802.3af) Ports* | Available PoE Power

10 Gigabit Uplinks with 10/100/1000 Ethernet Connectivity
Cisco Catalyst 2960S-48FPD-L | 24 ports up to 30W | 48 ports up to 15.4W | 740W
Cisco Catalyst 2960S-48LPD-L | 12 ports up to 30W | 24 ports up to 15.4W, or 48 ports up to 7.7W | 370W
Cisco Catalyst 2960S-24PD-L | 12 ports up to 30W | 24 ports up to 15.4W | 370W

1 Gigabit Uplinks with 10/100/1000 Ethernet Connectivity
Cisco Catalyst 2960S-48FPS-L | 24 ports up to 30W | 48 ports up to 15.4W | 740W
Cisco Catalyst 2960S-48LPS-L | 12 ports up to 30W | 24 ports up to 15.4W, or 48 ports up to 7.7W | 370W
Cisco Catalyst 2960S-24PS-L | 12 ports up to 30W | 24 ports up to 15.4W | 370W
Cisco Catalyst 2960-48PST-L | N/A | 24 ports up to 15.4W | 370W
Cisco Catalyst 2960-24PC-L | N/A | 24 ports up to 15.4W | 370W
Cisco Catalyst 2960-24LT-L | N/A | 8 ports up to 15.4W | 123W

* Intelligent power management allows flexible power allocation across all ports.

Why Buy Cisco Switches?

  • Flexibility: Variety of port and speed combinations including PoE.
  • Secure and Reliable: All the rock-solid performance you’d expect from Cisco.
  • Expandability: Cisco switches are designed to expand as your business grows.

For more Cisco 2960-S information, see:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_data_sheet0900aecd80322c0c.html

More Related Cisco 2960 Guides and Tips:

How to Configure the Voice VLAN Feature on the Catalyst 2960 and 2960-S Switches?

Upgrade a Cisco 2960 IOS with a Console Cable

Cisco Catalyst 2960 Series Enables Routing

More Popular Topics Related to Cisco Catalyst 2960-S FlexStack

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

Cisco Catalyst Switch: How to Create and Delete VLAN on It?

Cisco Catalyst Access Switching


Cisco Catalyst 4948E Ethernet Switch for High-Performance Data Center Access

June 20 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco Catalyst 4900 Series Switches deliver high-performance, low-latency wire-speed Layer 2 and 3 services in a small form factor (1 or 2 rack units). The 4900 Series is ideal for space-constrained deployments.

The Cisco Catalyst 4948E offers forty-eight 10/100/1000 RJ-45 downlink ports and four 1/10 Gigabit Ethernet uplink ports. It is designed to simplify data center architecture and operations by offering enterprise-class hardware and software in a one-rack-unit (1RU) form factor optimized for smart top-of-rack (ToR) data center deployments (Figure 1).

Figure 1. Cisco Catalyst 4948E (image in the original post, not reproduced here)

New Features of Cisco Catalyst 4948E Switch

The Cisco Catalyst 4948E offers:

• Twice the uplink capacity of the previous switch generation

• 1+1 power supply and fan redundancy for hardware replacement with no downtime

• Strict front-to-back cooling with no side or top venting

• Large shared packet buffers for microburst protection

• Nonblocking internal packet switching for east-to-west traffic patterns

• Full set of Layer 2 and 3 forwarding features

• Outstanding multicast performance

• Zero-touch provisioning with Cisco IOS Embedded Event Manager (EEM)

• Advanced quality of service (QoS)

• IP Version 6 (IPv6) switching and routing in hardware

• Extended MAC address tables to enable server virtualization

Table 1 summarizes the main features of the Cisco Catalyst 4900 Series Switches.

Table 1. Cisco Catalyst 4900 Series Features (image in the original post, not reproduced here)

Cisco IOS Software

The Cisco Catalyst 4948E supports three levels of Cisco IOS Software, summarized in Table 2. The basic level is LAN Base, developed for deployments that require data center-class hardware along with Layer 2 switching. The next level is IP Base; most customers will deploy this level because it offers many of the value-added Cisco features that provide operational consistency and an easy-to-manage environment. The top level is Enterprise Services, which adds support for advanced routing protocols such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and Enhanced Interior Gateway Routing Protocol (EIGRP).

Table 2. Software Configuration Options (each level includes everything in the level below it)

Enterprise Services (adds to IP Base):
• BGPv4
• EIGRP
• OSPFv2 and v3
• IS-IS
• IP-SLA
• Nonstop Forwarding (NSF)
• Policy-Based Routing (PBR)
• Virtual Route Forwarding Lite (VRF-Lite)
• Multicast VRF-Lite

IP Base (adds to LAN Base):
• EIGRP-stub
• OSPF for routed access
• IEEE 802.1Q-in-IEEE 802.1Q (QinQ)
• IP service-level agreement (IP-SLA) responder
• Network Mobility Service Protocol (NMSP)
• Layer 2 Protocol Tunneling (L2PT)
• Stub IP multicast
• Cisco IOS EEM
• Gateway Load Balancing Protocol (GLBP)

LAN Base:
• AutoQoS
• Cisco EnergyWise
• Flexlink+
• Layer 2 traceroute
• Multicast Listener Discovery (MLD) snooping
• Rapid Per VLAN Spanning Tree Plus (RPVST+)
• Static routing
• Routing Information Protocol (RIP)
• Cisco SmartPort macros
• VLAN access control list (VACL) and port ACL (PACL)

For ordering information for the Cisco Catalyst 4948E, see:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6021/ps10947/product_bulletin_c25-600212.html

For More Information

For more information about the Cisco Catalyst 4948E, visit http://www.cisco.com/go/4900.

More Cisco 4900 Info:

Cisco Catalyst 4900 Series Switches


Cisco Catalyst 3750-X Series Switches-Compare Models

June 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

 

Cisco Catalyst 3750-X Series Switches are designed to provide high availability, security, investment protection, high quality of service, energy efficiency, and simplified operation. These stackable switches are ideally suited to support demanding applications such as IP telephony, wireless, and video.

All models support network modules with four 1 Gigabit Ethernet (GE), two 10 GE Small Form-Factor Pluggable Plus (SFP+), or two 10GBASE-T uplink ports.

All models include StackWise Plus data stacking technology and StackPower capabilities for cross-stack power sharing.

Note: Cisco StackWise and StackWise Plus Technology

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_white_paper09186a00801b096a.html

Model comparison tables (images in the original post, not reproduced here):

• With LAN Base Software
• With IP Base Software
• With IP Services Software

More Cisco 3750 Related:

Main Differences between Lines of Cisco 3750 Series Switches

How to Select Power Supply for Catalyst 3750-X Series and Cisco 3560-X Switch?

Cisco 3750 Stacking Configuration

CISCO Catalyst 3750 Family

How to Configure a Cisco 3750?

 


Cisco Betters Its Catalyst 2000 Line

June 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Most popular Cisco Catalyst 2000 line extended with 2960-X, which doubles stack ports and bandwidth, cuts energy use

Cisco this week upgraded its best-selling Catalyst switch by doubling its stacked port density, stacking bandwidth, buffers and CPU performance.

The new Catalyst 2960-X stackable Gigabit Ethernet switch builds on the foundation of the 3-year-old Catalyst 2960-S/SF. It is available in 24- or 48-port configurations, with 10G uplinks and a stacking capacity of 40G-80G.

Cisco says the Catalyst 2000 line is its best-selling Ethernet switch based on number of units and ports shipped.

The 2960-X is designed to keep that momentum going. In a fully stacked configuration of eight switches, the 2960-X supports 384 Gigabit Ethernet ports and Cisco claims the switch uses up to 80% less power than competitive offerings.

If all comparable switch ports sold in 2012 -- 230 million Cisco says, citing data from IDC -- were Catalyst 2960-X switch ports, the energy savings could shut down Hoover Dam for more than three years, power all households in San Francisco for more than three years, make 76 round trips to Mars in a Toyota Prius or reduce CO2 emissions by 7.5 billion pounds, Cisco claims.

Per-port power consumption on the Catalyst 2960-X is 0.9 watts, vs. 2 watts on the 2960-S/SF. Energy efficiency is achieved through support of the IEEE's Energy Efficient Ethernet standard, as well as Cisco's own EnergyWise software. The switches can engage in two modes of "hibernation" during downtime: downlink mode, which powers down less active links; and switch mode, which powers down the switch itself.

Cisco says a 2960-X can be powered down as low as 6 watts from 50-85 watts in switch hibernation mode.

[Image: Cisco Catalyst 2960-X Series]

The 2960-X can also be stacked with existing 2960-S/SF switches, Cisco says. Like the 2960-S/SF, it also supports Power over Ethernet (PoE) and PoE+.

Other features of the 2960-X include Layer 3 routing based on RIP, OSPF and EIGRP protocols -- the 2960-S/SF are Layer 2-only -- and application visibility through NetFlow-Lite, a less CPU intensive "NetFlow-like" traffic monitoring capability.

The Catalyst 2960-X is also built for network programmability by being "onePK-ready." Cisco onePK is the company's API toolkit for software-defined network programmability.

Cisco said the 2960-X will be onePK programmable later this year. The switch is not equipped with the UADP programmable ASIC unveiled earlier this year, but another Cisco chip optimized for Layer 2/3 processing.

The 2960-X will be available in July. It costs $1,895 in a 24-port configuration and $3,395 in a 48-port model.

---Article News from http://www.networkworld.com/news/2013/060413-cisco-catalyst-270415.html

More Related:

Cisco Catalyst 2960-X Series Switches Debut at Cisco Partner Summit

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

Cisco Catalyst 2960 Series Enables Routing

What is Exact Cisco Catalyst 2960-S FlexStack?

More Popular Topics Related to Cisco Catalyst 2960-S FlexStack


Cisco ASA 5505 DMZ with Private VLAN Configuration

May 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The ASA 5505 is the only ASA model with an 8-port switch built into the appliance. All of its Ethernet interfaces are Layer 2 switch ports, so they support some features you would otherwise find on Cisco switches. One of these is the protected-port feature (the "switchport protected" command), which this post refers to as "Private VLAN". It isolates ports from each other within a VLAN; it is not the primary/secondary Private VLAN construct of the larger Catalyst switches, but for a small DMZ it achieves the same goal.

 

The concept of "Private VLAN" is very useful in DMZ environments. Here is how it can be used. Say you have a firewall with an Outside interface connected to the Internet, an Inside interface connected to the secure LAN, and a DMZ interface connected to a subnet hosting several publicly accessible servers (e.g. a web server and an email server). The DMZ servers all sit on the same subnet, so if one of them gets compromised, the attacker can easily use that server as a "stepping stone" to reach the other servers in the DMZ.

Protected ports mitigate this. Although the DMZ Layer 2 VLAN number and Layer 3 subnet stay the same for all servers, configuring each DMZ switch port as a protected port stops the servers from talking to each other through the switch.

Let’s see a diagram below to explain the concept of “Private VLAN”.

[Diagram: Cisco ASA 5505 with Outside, Inside and DMZ zones; the two DMZ servers sit on protected ports in VLAN 30]

Let’s say we have an Cisco ASA5505 with three security Zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Notice that the DMZ holds two publicly accessible servers (Web and Email) that both belong to the same Layer 2 VLAN (VLAN 30) and the same Layer 3 subnet (10.0.0.0/24).

Without protected ports, if the Web or Email server gets hacked, the attacker can reach the other DMZ server directly. With protected ports, the Web and Email servers cannot communicate with each other even though they share a VLAN and subnet, while the other zones (outside and inside) can still reach the DMZ zone (and vice versa) subject to the normal firewall policy.

 

Configuration:

We are not going to see the complete config here, just the part that has to do with Private Vlan setup.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

 

The "switchport protected" command marks a physical port as a protected port. Protected ports in the same VLAN never forward traffic to one another at Layer 2; traffic to and from unprotected ports, and to the ASA's own VLAN interface, is unaffected. Note that the isolation is Layer 2 only: a compromised server could try to reach its neighbour by sending through the ASA's DMZ address instead, but the ASA does not hairpin traffic back out the interface it arrived on unless "same-security-traffic permit intra-interface" has been configured, so leave that off for the DMZ.
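The complete interface side of the three-zone layout above, as an added example that is not part of the original post. The post shows only the switch-port commands; this adds the VLAN interfaces that actually define the zones, plus the checks. The interface names, security levels and the outside/inside addresses (203.0.113.2/24 and 192.168.1.1/24) are assumptions for illustration; the DMZ subnet follows the post's 10.0.0.0/24.

```text
! Added example; nameifs, security levels and addresses are assumed.
! Switch ports: one access VLAN per zone, DMZ ports protected from each other
interface Ethernet0/0
 switchport access vlan 10
 no shutdown
interface Ethernet0/1
 switchport access vlan 20
 no shutdown
interface Ethernet0/2
 switchport access vlan 30
 switchport protected
 no shutdown
interface Ethernet0/3
 switchport access vlan 30
 switchport protected
 no shutdown
!
! VLAN (Layer 3) interfaces: this is where the security zones are defined
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan20
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan30
 ! Base license only: the third VLAN may not initiate traffic to one of the
 ! other VLANs, and the restriction must be entered before nameif. With a
 ! Security Plus license this line is not required.
 no forward interface vlan 20
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
! Verify: VLAN-to-port mapping, and the protected flag on each DMZ port
show switch vlan
show running-config interface Ethernet0/2
show running-config interface Ethernet0/3
```

With the Base license restriction in place the DMZ cannot open connections to the inside network at all, which is usually what you want anyway; inside-to-DMZ sessions and their return traffic are unaffected. Access from outside to the DMZ servers still needs the usual access-list and NAT configuration, which this example does not cover.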

---Resource from http://www.tech21century.com

More…

How to Set up a Cisco ASA 5505 Firewall with a Wireless Router?

The Way to Activate Your Cisco ASA 5500

Cisco ASA 5520 Basic Configuration Guide

Configuring Static NAT on a Cisco ASA Security Appliance


How to Troubleshoot Nexus 5500s and 1 GE SFPs?

May 23 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The newer versions of NX-OS support 1G or 10G on the N5K, but the Nexus5000 is not auto-speed sensing. A mini case study follows.

 

One of my customers just put some GLC-SX-MM optics and a fiber patch between a Catalyst 3750 and a Nexus5000. He happened to look at status on Network Assistant on the 3750, and this error appeared:

Description: Gi1/1/1: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.
Recommendation: Replace connector with cisco compliant Gigabit Interface Converter (GBIC) connector. Refer switch technical documentation to determine cisco compliant connector. Enable the port again.

 

This seemed odd, since the GLC-SX-MM is supported on both devices. I tried shut/no shut on both ends of the port, but that did not help. I then wondered - does he have a bad SFP? I poked around a bit.

The CLI show log info on the 3750 switch was also unhappy:

*Apr 16 01:48:41.190: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi1/1/1 is not supported
*Apr 16 01:48:41.190: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state

 

Strange, the GLC-SX-MM is supported on the Catalyst 3750. The interface capabilities looked fine:

3750_sw1#sh int gig 1/1/1 capa
GigabitEthernet1/1/1
  Model:                 WS-C3750X-48P
  Type:                  1000BaseSX SFP
  Speed:                 1000
  Duplex:                full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(none)
  Fast Start:            yes
  QoS scheduling:        rx-(not configurable on per port basis),
                         tx-(4q3t) (3t: Two configurable values and one fixed.)
  CoS rewrite:           yes
  ToS rewrite:           yes
  UDLD:                  yes
  Inline power:          no
  SPAN:                  source/destination
  PortSecure:            yes

  Dot1x:                 yes
3750_sw1#

 

The status on the 3750 was not connected:

3750_sw1#sh int gig 1/1/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1/1                      notconnect   1            auto   auto 1000BaseSX SFP
3750_sw1#

 

I then went to look at the N5K. It claimed it had an invalid SFP of an unknown type:

N5K1# sh int e1/5 status
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 sfpInvali 1         full    10G     SFP-1000BAS
N5K1#
N5K1# sh int e1/5 capa
Ethernet1/5
  Model:                 N5K-C5548UP-SUP
  Type (SFP capable):    10Gbase-(unknown)
  Speed:                 1000,10000
  Duplex:                full
  Trunk encap. type:     802.1Q
  Channel:               yes
  Broadcast suppression: no
  Flowcontrol:           rx-(off/on),tx-(off/on)
  Rate mode:             none
  QOS scheduling:        rx-(6q1t),tx-(1p6q0t)
  CoS rewrite:           no
  ToS rewrite:           no
  SPAN:                  yes
  UDLD:                  yes
  Link Debounce:         yes
  Link Debounce Time:    yes
  MDIX:                  no
  Pvlan Trunk capable:   yes
  TDR capable:           no
  FabricPath capable:    yes
  Port mode:             Switched
  FEX Fabric:            yes
N5K1#

 

The Nexus5000 also claimed there was no transceiver:

N5K1#sh log | inc 1/5

...
2012 Apr 6 18:10:26 N5K1 %ETHPORT-5-IF_DOWN_NONE: Interface Ethernet1/5 is down (None)
...
2012 Apr 6 19:06:10 N5K1 %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/5, hardware type changed to No-Transceiver

 

I scratched my head a bit, and then came up with the underlying issue - when installing 1GE optics in the N5K, you need to manually set the speed. If you look back, you will see the previous 'sh int e1/5 status' on the N5K shows a speed of 10G. So after the appropriate "speed 1000" command to the e1/5 interface on the N5K, the link came up on both ends.

N5K1# sh int e1/5 stat
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 connected 1         full    1000     SFP-1000BAS
N5K1#

Summary: The newer versions of NX-OS support 1G or 10G on the N5K, but the N5K is not auto-speed sensing. If you run into something similar, even error messages on the remote device, check the port speed on the N5K.
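The fix, together with the checks that separate a speed mismatch from a genuinely bad or unsupported optic, as an added example that is not part of the original case study. The interface numbers and hostnames follow the case study; command output is not reproduced.

```text
! Added example; interface numbers follow the case study above.
! Nexus 5000 side: a 1G optic needs the port speed set explicitly
N5K1# configure terminal
N5K1(config)# interface ethernet 1/5
N5K1(config-if)# speed 1000
N5K1(config-if)# no shutdown
N5K1(config-if)# end
!
! The transceiver should now be identified (type, vendor, part number). An
! optic that is still reported as absent or unknown after the speed change
! is a hardware or compatibility problem, not a speed problem.
N5K1# show interface ethernet 1/5 transceiver
N5K1# show interface ethernet 1/5 status
!
! Catalyst 3750 side: the gbic-invalid event left the port err-disabled, so
! it stays down until it is bounced (or errdisable recovery fires)
3750_sw1# show interfaces status err-disabled
3750_sw1# configure terminal
3750_sw1(config)# interface gigabitethernet 1/1/1
3750_sw1(config-if)# shutdown
3750_sw1(config-if)# no shutdown
3750_sw1(config-if)# end
3750_sw1# show interfaces gigabitethernet 1/1/1 status
```

Check the N5K side first: as long as the Nexus port is at 10G, bouncing the 3750 port only reproduces the err-disable.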

---Resource from http://www.netcraftsmen.net

More…

Cisco Nexus Switches: Layer 2 Configuration Strategies

Cisco Nexus 6000 Switches: High-Density, Compact Form Factor

Cisco Catalyst 6500 vs. Cisco Nexus 7000 Switch

To Answer the Questions from Cisco Nexus 1000V InterCloud Users and Analysts

Cisco New ASR 5500 is for Next-Generation Mobile Internet


How to Configure AAA Authentication on Cisco ASA Firewall

May 15 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

AAA stands for Authentication, Authorization, and Accounting. AAA is a mechanism that is used to tell the firewall appliance who the user is (Authentication), what actions the user is authorized to perform on the network (Authorization), and what the user did on the network after connecting (Accounting). In this post we will focus on the first element of AAA (that is Authentication).

Types of Authentication supported on ASA appliances

Three types of Authentication are available for Cisco ASA firewalls:

1. User Authentication for accessing the security appliance itself.

2. User Authentication for accessing services through the security appliance. This is also called "cut-through proxy" and is used to authenticate users for accessing Telnet, FTP, HTTP, and HTTPS services located in the network behind the firewall.

3. User Authentication for VPN tunnel access (IPsec or SSL VPN).

 

We will see a configuration example for the first type (authentication for accessing the security appliance for management using Serial Console, SSH, and Telnet access).

 

Authentication configuration example

In this example we assume that a AAA server (e.g. Cisco ACS) running the TACACS+ protocol is already installed and configured, that it holds the username/password account the firewall administrators will use, and that it sits on the internal LAN at address 10.1.1.1.

[Figure: authentication flow between the Admin, the ASA firewall, and the AAA server at 10.1.1.1 (Arrows 1 and 2)]

Referring to the figure above, the firewall administrator (Admin) requests management access to the appliance (serial console, SSH, or Telnet) (Arrow 1). The ASA prompts the admin for username/password credentials and forwards them to the AAA server (Arrow 2). If the AAA server accepts the credentials, it tells the firewall to let the user in.

Here is the configuration below:

! Specify a AAA server group name (NY_AAA) and which protocol to use (RADIUS or TACACS+)
ASA(config)#  aaa-server NY_AAA protocol tacacs+

! Designate the Authentication server IP address and the authentication secret key
ASA(config)#  aaa-server NY_AAA (inside) host 10.1.1.1
ASA(config-aaa-server-host)#  key secretauthkey

! Enable Authentication for management access
ASA(config)#  aaa authentication serial console NY_AAA LOCAL
ASA(config)#  aaa authentication telnet console NY_AAA LOCAL
ASA(config)#  aaa authentication ssh console NY_AAA LOCAL

 

The "LOCAL" keyword at the end designates the local firewall username database as the fallback authentication method. The fallback is used only when the AAA server cannot be reached (e.g. the server is down), not when the server rejects the credentials. Make sure a local user exists ("username ... password ... privilege 15") before you apply these lines, or you can lock yourself out of the appliance if the server becomes unavailable.

Of course, to complete the scenario above, you need to configure the AAA server with the internal IP address of the ASA firewall and the same shared key (e.g. secretauthkey) as the one configured on the ASA. The key authenticates and obfuscates the TACACS+ exchange between firewall and server; it is not a user password.
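A fuller version of the management-access authentication above, as an added example rather than the post's own configuration. It keeps the post's server tag NY_AAA, server address 10.1.1.1 and key; the local account fwadmin, the TACACS+ account netadmin, the admin subnet 10.1.1.0/24 and the passwords are assumptions.

```text
! Added example; NY_AAA, 10.1.1.1 and the key follow the post, the rest is assumed.
! Server group and server
aaa-server NY_AAA protocol tacacs+
aaa-server NY_AAA (inside) host 10.1.1.1
 key secretauthkey
 timeout 5
!
! Local fallback account. Without it the LOCAL method has nothing to use when
! the server is unreachable, and you can lock yourself out.
username fwadmin password Str0ngL0calPw privilege 15
!
! Management access: SSH only, from the admin subnet. Telnet is cleartext and
! is simply never enabled.
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
!
! Authentication for every management path: server first, local fallback
aaa authentication serial console NY_AAA LOCAL
aaa authentication ssh console NY_AAA LOCAL
aaa authentication http console NY_AAA LOCAL
aaa authentication enable console NY_AAA LOCAL
!
! Test server reachability and the TACACS+ account from the session you are
! already in, before logging out and relying on it
test aaa-server authentication NY_AAA host 10.1.1.1 username netadmin password NetAdminPw2013
show aaa-server NY_AAA
```

The "enable console" line matters once the login itself is on TACACS+: without it, the enable password is still the locally configured one, which everyone who has ever administered the box may know.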

---Article reference from http://www.tech21century.com/configuring-aaa-authentication-on-cisco-asa-firewall/

More…

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

Configuring Static NAT on a Cisco ASA Security Appliance

EIGRP on a Cisco ASA Firewall Configuration

How to Set up a Cisco ASA 5505 Firewall with a Wireless Router?

How to Configure Cisco ASA 5505 Firewall?


Cisco 2960s Can Route

May 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

As of IOS 12.2(55)SE, Catalyst 2960 switches can do basic (static) Layer 3 routing. Configuring a 2960 to route is simple: change the Switch Database Management (SDM) template to "lanbase-routing", reload (a reload is always needed after changing the SDM template), and then enable routing exactly as on any other Layer 3 switch with "ip routing" from global configuration.

 

First we’ll change the SDM template:

SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SwitchA(config)#^Z
SwitchA#reload
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]

 

After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.

 

Now we verify:

SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.25K
  number of directly-connected IPv4 hosts:          4K
  number of indirect IPv4 routes:                   0.25K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k

The change was successful and we’re given the details about this SDM template.

 

Now seems like a good time to touch on the limitations of the layer 3 capabilities on 2960s. As we see in the output above, we’re limited to 8 routed interfaces. These will be SVIs. At this point, the Cisco 2960s don’t support routed physical interfaces (“no switchport”). Another important note is that we’re only allowed 16 static routes and there is no dynamic routing capability.

 

Now we’ll enable IP routing and configure a couple SVIs:

SwitchA#conf t
SwitchA(config)#ip routing
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA(config-if)#^Z
SwitchA#sh ip route
...
C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.25.0/24 is directly connected, Vlan25

Even now, I’m still amazed that we can do this with a 2960. As expected, it’s working. We have two SVIs and we can see the routing table reflect this.
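A pre-deployment check against the limits described above, written here as an added example (not from the original post): it scans a saved running config for the SDM template, the ip routing line, the number of addressed SVIs, any “no switchport” port and the static route count. The sample config is constructed.

```python
# Limits the post lists for the lanbase-routing template on a Catalyst 2960-S.
MAX_SVIS, MAX_STATIC_ROUTES = 8, 16

# Constructed running config, not taken from the page: routing is enabled on the
# right template, but it has nine addressed SVIs and one routed physical port.
SAMPLE_CONFIG = """\
sdm prefer lanbase-routing
ip routing
interface Vlan1
 no ip address
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
""" + "".join(f"interface Vlan{v}\n ip address 10.0.{v}.1 255.255.255.0\n" for v in range(11, 19)) + """\
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.99.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.10.254
"""


def check_2960_routing(config):
    # Return a list of problems; an empty list means the config fits the template.
    problems, template, routing = [], None, False
    svis, routed_ports, static_routes, cur = [], [], 0, None
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["sdm", "prefer"]:
            template = w[2]
        elif w == ["ip", "routing"]:
            routing = True
        elif w[:1] == ["interface"]:
            cur = w[1]                         # interface whose lines follow
        elif w[:2] == ["no", "switchport"]:
            routed_ports.append(cur)
        elif w[:2] == ["ip", "address"] and cur and cur.lower().startswith("vlan"):
            svis.append(cur)                   # only SVIs with an address count
        elif w[:2] == ["ip", "route"]:
            static_routes += 1
    if template != "lanbase-routing":
        problems.append(f"sdm template is {template!r}; need lanbase-routing, then reload")
    if not routing:
        problems.append("'ip routing' missing: SVIs will not route between VLANs")
    if len(svis) > MAX_SVIS:
        problems.append(f"{len(svis)} routed SVIs exceed the template limit of {MAX_SVIS}")
    for port in routed_ports:
        problems.append(f"{port}: 'no switchport' is not supported on a 2960; use an SVI")
    if static_routes > MAX_STATIC_ROUTES:
        problems.append(f"{static_routes} static routes exceed the limit of {MAX_STATIC_ROUTES}")
    return problems
```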

 

More Related Cisco 2960 Tips:

Cisco Catalyst 2960 Series Enables Routing

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

How to Configure a Cisco 2960 Switch/Layer 2 Switch?

Layer 2 Switches & Layer 3 switches


How to Configure SNMP V3 on Cisco ASA and IOS?

April 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.

 

The most common and sought-after reason for an upgrade to SNMP V3 is security: SNMP versions 1 and 2c transmit data between the SNMP server and the SNMP agent “in the clear”.

 

This makes your infrastructure and its devices far more vulnerable to attack and/or misuse. Weak SNMP provides attackers with the low-hanging fruit they sometimes need to improve their attack vectors.

 

SNMP V3 was designed to address this flaw: it adds authentication and privacy options to secure the communication between SNMP servers and SNMP agents.

 

SNMP V3 Security Models

The authentication (auth) and privacy (priv) options are grouped into security models.

  • NoAuthNoPriv – no authentication and no privacy
  • AuthNoPriv – authentication and no privacy
  • AuthPriv – you guessed it – authentication and privacy

 

SNMP Groups

SNMP groups provide an access control policy to which users are added. The user will inherit the security model of the group. If the SNMP group “SEC3” has the AuthPriv security model, users assigned to it will inherit the AuthPriv security model.

 

SNMP Users

SNMP users are assigned a username, a group to which they belong, authentication password, encryption password, and associated algorithms to use.

  • Authentication algorithms: MD5 and SHA
  • Encryption algorithms: DES, 3DES, and AES (128, 192, 256)

 

SNMP Host

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.

Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

  1. Enable SNMP
    snmp-server enable
  2. Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all traps, but this could be limited to a subset.
    snmp-server enable traps all
  3. Create the SNMP group
    Note the following meanings:
    auth indicates authentication only
    noauth indicates no authentication or encryption
    priv indicates encryption and authentication
    snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
  4. Create the SNMP user
    snmp-server user <USERNAME> <GROUPNAME> v3 encrypted auth md5 <AUTHENTICATION-PASSWORD> priv AES 128 <ENCRYPTION-KEY>
  5. Create the SNMP server host
    snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>

 

Full Configuration Example for the Cisco ASA (Version 8.4)

snmp-server group SEC3GROUP v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 encrypted auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded

 

Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config

 

Note – in IOS you won’t see the following line:
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS hides the authentication password and encryption key from the “show run” and “show startup”.
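An added audit script (not part of the original article) that reads the snmp-server lines of a saved config and reports the weaknesses discussed above: v1/v2c communities, v3 groups without priv, MD5 or DES, a user bound to a group that was never defined, and hosts not on version 3. The sample config is constructed, and the host-line parsing assumes the ASA form shown above or the IOS form with the security level before the username.

```python
# Constructed sample running config, not taken from the page: it mixes a v1/v2c
# community, a v3 group without privacy and a user whose group name is mistyped.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server group SEC3 v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 passw0rd priv aes 128 encrkey
snmp-server user OLDUSER LEGACY v3 auth sha passw0rd priv des encrkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server host mgmt 10.20.30.11 version 2c public
"""

SEC_LEVELS = {"auth", "noauth", "priv"}


def audit_snmp(config):
    # Findings as (severity, message). Host lines may be in the ASA form
    # 'host <if> <ip> version 3 <user>' or the IOS form 'host <ip> version 3 <level> <user>'.
    findings, groups, users = [], {}, {}
    for p in (line.split() for line in config.splitlines()):
        if len(p) < 3 or p[0] != "snmp-server":
            continue
        if p[1] == "community":
            findings.append(("high", f"v1/v2c community '{p[2]}' travels in the clear"))
        elif p[1] == "group" and "v3" in p:
            level = p[p.index("v3") + 1]
            groups[p[2]] = level
            if level != "priv":
                findings.append(("high", f"group '{p[2]}' is {level}: traffic is not encrypted"))
        elif p[1] == "user" and "v3" in p:
            name, group = p[2], p[3]
            users[name] = group
            if group not in groups:
                findings.append(("high", f"user '{name}' references undefined group '{group}'"))
            if "md5" in p:
                findings.append(("medium", f"user '{name}' authenticates with MD5; prefer SHA"))
            if "priv" in p and p[p.index("priv") + 1] == "des":
                findings.append(("medium", f"user '{name}' encrypts with DES; prefer AES"))
        elif p[1] == "host" and "version" in p:
            target, rest = p[p.index("version") - 1], p[p.index("version") + 1:]
            if rest[0] != "3":
                findings.append(("high", f"host {target} uses SNMP v{rest[0]}"))
            else:
                user = rest[2] if rest[1] in SEC_LEVELS else rest[1]
                if user not in users:
                    findings.append(("high", f"host {target} names unknown v3 user '{user}'"))
    return findings
```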

 

More Information

Cisco Configuration Guide for ASA 8.4 and 8.6

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html#wp1239780

Cisco Configuration Guide for ASA 8.4 and 8.6 PDF

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.pdf

---Reference from

http://www.gomiocon.com/2012/04/29/configuring-snmp-v3-on-cisco-asa-and-ios/

 

More Related Cisco and Networking TOPICS:

How to Configure SNMP on Cisco IOS-based Router/Switch?


Basic Interface Configuration of Cisco ASA 5520

April 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco ASA 5520 is one of the mid-range ASAs: it has 4 Gigabit Ethernet ports and a maximum of 450 Mbps throughput under ideal conditions, which makes it a good fit for mid-sized offices. It has an expansion slot where you can install an add-on card that does content filtering (e.g. email and web) or intrusion prevention, or an expansion card that gives your ASA more physical ports.

 

The lowest-end ASA is the Cisco ASA 5505, which is more like a switch with VLANs. On the 5510 models and up, interface configuration is akin to that of a router.

 

Factory Default Settings on the ASA 5520

Out of the box, or with the configure factory-default command, the ASA 5520 is configured thusly:

Interface            Name         Security Level      IP Address      State
GigabitEthernet0/0   no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/1   no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/2   no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/3   no nameif    no security-level   no ip address   Shutdown
Management0/0        management   100                 192.168.1.1     Management-only

 

Configuration Example

On a Cisco ASA 5520 with a factory default config, a show run interface coughs up this information:

interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

 

With nothing configured on the interfaces, the routing table on a factory default ASA shows only the loopback interface:

ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

To make an interface operational, it needs a name, an IP address, a security level and it needs to be administratively brought up with the no shutdown command.

 

So let’s give the GigabitEthernet0/0 interface a name and an IP address.

ciscoasa# con t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 5.5.5.1

 

When an interface is named “outside”, the ASA automatically assigns the interface a security level of 0. If an interface is named “inside”, it is automatically given a security level of 100.

To view the config on all interfaces, use the show run interface command. To view just one interface, use the show run interface command and specify the interface:

ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0

 

Because I did not specify a subnet mask when I configured the IP address, the interface was automatically assigned a classful subnet mask. I can specify the subnet mask in the ip address command.

ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

When I am ready to bring the interface up, I use the no shutdown command.

ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
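An added example (not from the original post) that parses show run interface output and reports what still keeps each interface from passing traffic under the four requirements above (name, IP address, security level, no shutdown), and flags a mask equal to the classful default the ASA assigns when none is typed. The sample output is constructed.

```python
# Constructed 'show run interface' output, not captured from the page's ASA.
SAMPLE_SHOW_RUN = """\
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
"""


def classful_mask(ip):
    # Mask the ASA assigns when none is typed: /8, /16 or /24 by first octet.
    first = int(ip.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"


def parse_interfaces(text):
    # {name: {nameif, level, ip, mask, shutdown}}; 'no ...' lines leave None.
    intfs, cur = {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["interface"]:
            cur = intfs[w[1]] = {"nameif": None, "level": None, "ip": None,
                                 "mask": None, "shutdown": False}
        elif w[:1] == ["shutdown"]:
            cur["shutdown"] = True
        elif w[:1] == ["nameif"]:
            cur["nameif"] = w[1]
        elif w[:1] == ["security-level"]:
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            cur["ip"], cur["mask"] = w[2], (w[3] if len(w) > 3 else None)  # 'dhcp' has no mask
    return intfs


def check_interfaces(text):
    # {name: [what still keeps the interface from passing traffic]}
    report = {}
    for name, i in parse_interfaces(text).items():
        issues = [msg for key, msg in (("nameif", "no nameif"), ("level", "no security-level"),
                                       ("ip", "no ip address")) if i[key] is None]
        if i["shutdown"]:
            issues.append("shutdown")
        if i["mask"] and i["mask"] == classful_mask(i["ip"]):
            issues.append(f"classful mask {i['mask']}: confirm it is intended")
        report[name] = issues
    return report
```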

 

The show run ip address command shows all interfaces that have IP addresses.

ciscoasa(config-if)# sh ru ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The show ip address command also displays all IP addresses, along with the method used to configure the IP address. (“System IP Addresses” refer to the primary IP addresses used for failover. “Current IP Addresses” are the currently-used IP addresses on the interface(s). So, in an active/standby ASA pair, the active ASA would have the same “System” and “Current” IP addresses. The standby ASA would have different “System” and “Current” IP addresses.)

ciscoasa(config-if)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual

 

After a write memory and a reload, when you do show ip address, the “Method” on these manually-configured interfaces changes to CONFIG, signifying that they were loaded from the startup config:

ciscoasa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

 

Now a show route command displays the directly-connected route to the 5.5.5.0 subnet.

ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

From the show run interface command, we can see that there is nothing configured on the g 0/1 interface. Let’s set it as a DHCP client and bring it up.

ciscoasa(config-if)# sh ru int g 0/1
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add dhcp
ciscoasa(config-if)# no shut

 

The show run interface command will show that g 0/1 is a DHCP client, but it will not display the dynamically-assigned IP address on the interface. To view the DHCP IP address, use the show ip address command.

ciscoasa(config-if)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Note that the “Method” for g 0/1 is “DHCP”.

You can also display all IP addresses on all interfaces with the show interface ip brief command.

ciscoasa(config-if)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
Virtual254                 unassigned      YES unset  up                    up

 

More Related Cisco ASA Tips:

Cisco ASA 5520 Basic Configuration Guide

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?
